Apache Log4j Shell POC exploits
On December 9, 2021, security researchers discovered a flaw in the code of a software library used for logging. The software library, Log4j, is built on a popular coding language, Java, that has widespread use in other software and applications used worldwide. This flaw in Log4j is estimated to be present in over 100 million instances globally.
The flaw, also known as a vulnerability by the security community, was rated a 10 out of 10 on the Common Vulnerability Scoring System, or CVSS, due to the potential impact that it can have if leveraged by attackers. Details of the vulnerability can be found in the National Vulnerability Database (NVD) under the heading CVE-2021–44228.
In this article, I’m using a vulnerable web app to demonstrate the POC of Apache log4j
Log4shell POC repository : https://github.com/kozmer/log4j-shell-poc
First to set up the vulnerable web app environment, we need to use docker
A docker setup manual for kali linux 2021.1 version :
Before starting, ensure your Kali Linux is fully up to date.
Add Docker PGP key (saved to
curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor | sudo tee /usr/share/keyrings/docker-archive-keyring.gpg >/dev/null
Configure Docker APT repository (Kali is based on Debian testing, which will be called buster upon release, and Docker now has support for it):
echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/debian buster stable' | sudo tee /etc/apt/sources.list.d/docker.list
sudo apt-get update
If you had older versions of Docker installed, uninstall them:
sudo apt-get remove -y docker docker-engine docker.io
sudo apt-get install -y docker-ce
sudo docker run hello-world
To allow your non-root user to use Docker, add the user to
sudo usermod -aG docker $USER
Setup the POC lab
1: docker build -t log4j-shell-poc .
2: docker run — network host log4j-shell-poc
docker run network hosts
Once it’s running, we can access it from localhost:8080
Now setup poc scripts
This poc python scripts will automate the attacking process
pip install -r requirements.txt
Start netcat listener for the reverse connection
Launch the exploit.
Note: For this to work, the extracted java archive has to be named:
jdk1.8.0_20, and be in the same directory.
downlaod the jdk package
Java Archive Downloads - Java SE 8
Go to the Oracle Java Archive The JDK is a development environment for building applications using the Java programming…
Note: You do need to make an account to be able to download the package.
Once you have downloaded and extracted the archive, you can find
java and a few related binaries in
Note: Please make sure to extract the jdk folder into this repository with the same name in order for it to work.
❯ tar -xf jdk-8u20-linux-x64.tar.gz❯ ./jdk1.8.0_20/bin/java -version
java version "1.8.0_20"
Java(TM) SE Runtime Environment (build 1.8.0_20-b26)
Java HotSpot(TM) 64-Bit Server VM (build 25.20-b23, mixed mode)
rename it to jdk1.8.0_20 (no matter what version you downloaded, to match the poc)
Now launch the poc exploit
pasting the exploit payload to username , and enter a random password, hit login
we see immediately the exploit.class script is being sent to the server
Look at netcat listener , and we got the reverse shell!
It allows us to remote code execute on the server that can give an attacker full control of any impacted system.